Hi Dean,
You've got a point there, all right. My question is, my private n/w is on a pvt
IP addressing schema with no NAT'ing to a public IP; the mail server, however,
will be NAT'ed to a public IP. How vulnerable does my network become, given this
situation?
Granted, going by your suggestion, I've got a very simple policy to implement
and my DMZ retains its security.
Regards.
Vinod.
Dean Cunningham wrote:
> Why are you putting the exchange server there? You seem to want the pvt
> users to access the exchange server in the dmz rather than putting it on the
> pvt network and allow your external users to access via OWA/imap4/pop3?
>
> -----Original Message-----
> From: Vinod P. Thomas [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 10 July 2000 4:22 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [FW1] Firewall or NT
>
> Hi,
> Thanks a ton for the feedback.
>
> Andrew.....as per your suggestion I tried giving unrestricted access between
> the PDC and the mail server, but for whatever reason, it still didn't work.
> So we undid the entire policy and gave any-any access between the two
> subnets, DMZ and private. Being critical, we couldn't take the chance of
> restricting access again and possibly jeopardising functionality. So, we've
> left the any-any policy b/w DMZ and private; I've got sync'ing happening
> fine but this leaves my network wide open. Added info....my firewall is the
> sole member of a workgroup; it's not part of my NT domain.
>
> This is my requirement:
> Mail(Exchange 5.5) and application server sitting in the DMZ. Users from the
> pvt. n/w need total mail access, thru client s/w (Microsoft Outlook, Outlook
> express and Netscape messenger) or Outlook web access. Also, they are to be
> given web access and probably chat. External users should be able to access
> the mail server.
> How do I limit user access while keeping all the necessary openings for
> proper NT functionality?
>
> Also, I'm using Trend Micro Virus wall installed on the firewall machine. I
> know that commn. b/w the a/v and the firewall happens using CVP, but what
> does my policy need to look like?
>
> Awaiting your suggestions.
> Thanks and regards.
> Vinod.
>
> "Greenawalt, Andrew" wrote:
>
> You're going to have to enable RPC, and some netbios stuff between the two.
> The easiest way to handle this is to give the PDC any-any access to the
> exchange box. The key factor is that the NT Domain does not use the
> protocols that you have listed for its synching. How are you getting client
> traffic to the Exchange box, IMAP, POP3 or native exchange? These may be
> working on the basis of a liberal outbound policy? Is your firewall on the
> domain? If it is, it shouldn't be-it's a potential security risk. As a
> test, allow all traffic between these two nodes, and work backwards.
>
> Good luck, and remember the firewall is your friend,
>
> Andy
>
> Andrew Greenawalt
> Cybergnostic.net
> CTO
>
>
> "Vinod P. Thomas" wrote:
>
> Hi,
>
> This is an overview of the network we're working on:
>
> Network   IP Addresses          NAT on FW
> Private   pvt. 172.16.X.x /21   hidden behind 1 public IP
> DMZ       pvt. 172.16.Y.x /21   static to a public IP
>
> The whole network is in the same NT domain. The mail server is in the DMZ,
> running Exchange 5.5 SP3 on WinNT 4.0. We just moved the mail server from the
> private network to the DMZ.
>
> The problem is, we don't find database sync'ing happening between the mail
> server (NT BDC) and the PDC which is in the private network. Otherwise, the
> mail server is functioning normally wrt sending and receiving mails. This
> sync'ing is essential, else, a user changing his password will have
> authentication problems the next time he tries logging onto the mail server
> as Exchange uses NT for authentication.
>
> As far as FW policy goes, between the pvt n/w and the DMZ, the following
> services have been enabled:
> http, https, smtp, pop3.
>
> Does this problem have anything to do with the FW or is this an NT-related
> problem? Whichever, could you help me out here?
>
> Thanks and regards.
> Vinod.
> --
> Vinod P Thomas
> Network Support Engineer
> Euclid Network Solutions, Inc.
> 1/36, Hanumanthappa Layout
> Ulsoor Road, Bangalore-560042
>
> Tel : 91-80-5580141/2/3/4
> Fax : 91-80-5580145
> Website : www.euclidnet.com
>
>
--
Vinod P Thomas
Network Support Engineer
Euclid Network Solutions, Inc.
1/36, Hanumanthappa Layout
Ulsoor Road, Bangalore-560042
Tel : 91-80-5580141/2/3/4
Fax : 91-80-5580145
Website : www.euclidnet.com
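The thread's core problem is the subnet-wide any-any rule between the DMZ and the private network that was left in place to keep NT domain replication working. The script below is an added example, not something from this thread or from Check Point: it models a small rule base, flags any-service rules that span zones, and builds the host-scoped PDC/BDC alternative. The host names, zones, and the exact NT 4 replication port list are assumptions.

```python
# Added example (not from the thread): audit a firewall rule base for the
# "any-any between DMZ and private" problem and show a host-scoped alternative.
# Zone membership, host names, and the port list below are constructed/assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # host name, zone name, or "any"
    dst: str
    service: str  # "any" or a "proto/port" string such as "tcp/135"
    action: str   # "accept" or "drop"


# Constructed zones mirroring the thread's layout: PDC and clients on the
# private 172.16.X.x/21 side, mail (NT BDC) and app server in the DMZ.
ZONES = {"private": {"pdc", "clients"}, "dmz": {"mail", "app"}}

# Assumed minimum for NT 4 PDC<->BDC replication: RPC endpoint mapper plus
# NetBIOS name/datagram/session. RPC then negotiates dynamic high TCP ports,
# which is why a subnet-wide any-any "fixes" sync while leaving everything open.
NT_SYNC = ["tcp/135", "udp/137", "udp/138", "tcp/139"]


def zone_of(name):
    """Return the zone a host belongs to; a zone name or 'any' maps to itself."""
    if name in ZONES or name == "any":
        return name
    return next((z for z, hosts in ZONES.items() if name in hosts), "unknown")


def audit(rules):
    """Return findings for accept rules that allow any service across zones
    with at least one side being a whole zone (or 'any') rather than a host."""
    findings = []
    for r in rules:
        if r.action != "accept" or r.service != "any":
            continue
        broad_src = r.src in ZONES or r.src == "any"
        broad_dst = r.dst in ZONES or r.dst == "any"
        if (broad_src or broad_dst) and zone_of(r.src) != zone_of(r.dst):
            findings.append(f"any-service rule {r.src}->{r.dst} spans zones")
    return findings


def scoped_sync_rules():
    """Host-to-host replacement for the subnet any-any rule: only the PDC and
    the mail server (BDC) talk, and only on the replication services."""
    return ([Rule("pdc", "mail", s, "accept") for s in NT_SYNC]
            + [Rule("mail", "pdc", s, "accept") for s in NT_SYNC])
```

Running `audit` over the current any-any policy reports the open rule; the replacement set passes the audit, though the dynamic RPC ports still need to be handled on the firewall for replication to complete.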
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================